Mustafa Al-Bassam created this list. He deserves all the credit. I just converted it to a table and sorted by Heartbleed vulnerability status. According to Musalbas, this list was valid as of April 8, 2014 12:00 UTC. Vulnerability status may have changed since then. To check if a site is still vulnerable, use this tool.

Websites Not Vulnerable

According to Musalbas’ test, these websites are not vulnerable, presumably because they do not use OpenSSL. You’ll notice Facebook and every Google and Amazon property on this list. Good news for most casual web users.

Websites Without SSL

According to Musalbas’ test, these websites do not use SSL. As one commenter pointed out below, it’s extremely unlikely that these websites have no form of SSL at all. In testing them, it appears that if sites use third-party services like VeriSign, as Walmart and Verizon do, the HTTPS data is processed at VeriSign’s hostname, not Walmart or Verizon’s.

Update: this post was first published without any explanation of “websites without SSL.” My apologies if this was misleading to any readers. My thanks to an anonymous commenter for highlighting that point of confusion.